Exchange Distribution Group Creation Report

Introduction

For some organizations, allowing end users to create and manage their own Distribution Groups is a standard practice. It usually alleviates work from ServiceDesk or second/third line support teams and gives users more responsibility and freedom to perform their role.

Although this is not enabled by default in Exchange 2016, it is easy to enable. Since Exchange 2010, the MyDistributionGroups management role has enabled individual users to create, modify and view distribution groups, and to modify, view, remove and add members to distribution groups they own:

Figure 1

While this is indeed a great feature for some organizations, it is always important to have a good naming convention in place and ensure that users adhere to it. But no matter how much we tell users how they should be creating a distribution group, we all know there will be situations where the group is not created as it should have been.

On the one hand, having IT check every day all the groups users created would cause some overhead. On the other hand, leaving them for too long might make it difficult to rectify a wrongly-created distribution group. So why not automatically generate a report for IT to look at whenever new groups are created? That way they do not need to keep constantly checking, and it is quick and easy to make sure the newly-created groups are OK. So let’s get to it.

Distribution Groups I Own

Using Outlook on the Web (or Outlook Web App or simply OWA as it is most commonly known), users can create and manage their own distribution groups:

Figure 2

For this article, I will create a few test groups pretending to be an end user:

Figure 3

Once I am done, I can see all the groups I created:

Figure 4

Now that we have a few groups, let us start with the script.

Script

Using the Get-DistributionGroup cmdlet and the WhenCreated property we can easily check recently created groups. For example, if we want to get a list of all the groups created in the last 24 hours, all we have to do is run the following cmdlet:
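As an added example (not the article's own code), the following function wraps that WhenCreated check in a reusable form and takes the window size in hours as an assumed parameter. Note that it only returns groups that still exist; a group created and deleted within the window leaves no trace here, which is why the audit log is needed next.

```powershell
# Added example: list distribution groups created in the last N hours using the
# WhenCreated property. The -Hours parameter is an assumption for this example.
function Get-RecentDistributionGroup {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    # Only groups that currently exist can be returned by Get-DistributionGroup
    Get-DistributionGroup -ResultSize Unlimited |
        Where-Object { $_.WhenCreated -ge $since } |
        Select-Object Name, PrimarySmtpAddress, WhenCreated, ManagedBy |
        Sort-Object WhenCreated -Descending
}

# Usage: groups created in the last 24 hours
Get-RecentDistributionGroup -Hours 24
```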

But what about when users create a group and then delete it? Do we want to know about it? Personally, I would want to know in case users are creating loads of test groups and then deleting them, as I have seen happening. To cater for these cases, we will use Administrator Audit Logging, which records every change made in Exchange, including the creation of groups. As such, we need to make sure this feature is enabled (which it is by default) and that it is capturing at least the New-DistributionGroup cmdlet. We do this by using the Get-AdminAuditLogConfig cmdlet, and Set-AdminAuditLogConfig if necessary:

Figure 5

Once we are certain the admin audit logs are capturing the information we need, this is what it will look like when we search for created groups using the Search-AdminAuditLog -Cmdlets New-DistributionGroup cmdlet (the following output has been truncated to only include relevant information):

Using this information, we can see who created which distribution group, even if they deleted it straight after!

To start with, we define a couple of parameters. The LogFile parameter is used to specify a log file (and its location, if we want to) to record whenever a report gets sent, while the NoLog switch is used to specify that the script should not log this information.

For this example, our script will be running every hour and will search the logs for any distribution group created in the last hour. Obviously we can change it to run every 5 minutes, every 24h, once a week, etc.

Write-Verbose "Searching Admin Audit Logs"

$strStartFrom = (Get-Date).AddMinutes(-60)

Now we start searching the Admin Audit logs, but first we create an array to hold objects for every distribution group we find containing the information we want to include in the report:

Once we find a group, we will use the ObjectModified property of the log entry which contains the group name in the following format:

<domain>/<OrganizationalUnit>/<Name>

Such as:

nunomota.pt/Users/Dept - Information Technology

As we only want the name, we need to split this string by “/” and get the string after the last “/”:

$DG = $_.ObjectModified.Split("/")

$DG = $DG[$DG.Count - 1]

To find out who created the group, we use the Caller property of the log entry, which is in the same format, so we use the same approach as above. However, Caller only shows the account name of the user, and I am also interested in the DisplayName, so we use the Get-Mailbox cmdlet as well:

$user = $_.Caller.Split("/")

$user = $user[$user.Count - 1]

$userDN = (Get-Mailbox $user).DisplayName

At this stage, we have found at least one distribution group created in the last hour, but how do we know if it still exists? We could search the Admin Audit Logs again for any entry for Remove-DistributionGroup, but the approach I took is to use Get-DistributionGroup. If the $group variable ends up empty, we know that group has been removed:

$group = Get-DistributionGroup $DG -ErrorAction SilentlyContinue

We now have almost all the information we want, so we can create an object to store it. First, we check to see if the group was created by an administrator, in which case we are not interested in it being included in the report (remember to replace “admin” with the name of the administrator you want to exclude, and to add more checks if you want to exclude multiple administrators).

We then create the object and include when the group was created, the user alias and/or display name (in my case I am only including the alias), the group’s display name, the email address and how many members it currently has. Using If ($group) we can tell whether the group still exists. If not, we just write “DG Deleted” in the report.
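Putting the steps above together, here is an added end-to-end example (not the article's own script) that runs the audit-log search, builds one object per group, excludes an administrator account, sends the report and logs the send. Assumptions: it runs in the Exchange Management Shell on an hourly schedule, the excluded administrator account is called “admin”, the Minutes and ExcludeCallers parameters are additions for this example, and the From, To and SmtpServer values given to Send-MailMessage are placeholders to be replaced.

```powershell
# Added example script (not the article's own code). Assumes the Exchange
# Management Shell; mail settings below are placeholders.
[CmdletBinding()]
param(
    [string]$LogFile = ".\DGCreationReport.log",   # where report sends are recorded
    [switch]$NoLog,                                 # suppress logging entirely
    [int]$Minutes = 60,                             # search window (assumed parameter)
    [string[]]$ExcludeCallers = @("admin")          # accounts to ignore (assumed parameter)
)

Write-Verbose "Searching Admin Audit Logs"
$strStartFrom = (Get-Date).AddMinutes(-$Minutes)

# Array holding one object per distribution group found in the audit log
$report = @()

Search-AdminAuditLog -Cmdlets New-DistributionGroup -StartDate $strStartFrom -ResultSize 5000 |
    Where-Object { $_.Succeeded } |
    ForEach-Object {
        # ObjectModified looks like "<domain>/<OrganizationalUnit>/<Name>"; keep the last segment
        $DG = $_.ObjectModified.Split("/")
        $DG = $DG[$DG.Count - 1]

        # Caller has the same shape; the last segment is the account name
        $user = $_.Caller.Split("/")
        $user = $user[$user.Count - 1]

        # Skip groups created by excluded administrators ("return" moves to the next entry)
        if ($ExcludeCallers -contains $user) { return }

        # Display name of the creator (empty if the mailbox no longer exists)
        $userDN = (Get-Mailbox $user -ErrorAction SilentlyContinue).DisplayName

        # If the group has since been removed, $group stays empty
        $group = Get-DistributionGroup $DG -ErrorAction SilentlyContinue

        if ($group) {
            $members = @(Get-DistributionGroupMember $group.Identity -ResultSize Unlimited).Count
            $report += [PSCustomObject]@{
                Created     = $_.RunDate
                CreatedBy   = $user
                CreatorName = $userDN
                DisplayName = $group.DisplayName
                Email       = $group.PrimarySmtpAddress
                Members     = $members
            }
        } else {
            $report += [PSCustomObject]@{
                Created     = $_.RunDate
                CreatedBy   = $user
                CreatorName = $userDN
                DisplayName = $DG
                Email       = "DG Deleted"
                Members     = 0
            }
        }
    }

if ($report.Count -gt 0) {
    $body = $report | Sort-Object Created | ConvertTo-Html -Title "New Distribution Groups" | Out-String
    # Placeholder mail settings; replace with your own
    Send-MailMessage -From "exchange-reports@example.com" -To "servicedesk@example.com" `
        -Subject "Distribution Groups created in the last $Minutes minutes" `
        -Body $body -BodyAsHtml -SmtpServer "smtp.example.com"

    if (-not $NoLog) {
        "$(Get-Date -Format s) Report sent with $($report.Count) group(s)" | Add-Content -Path $LogFile
    }
} else {
    Write-Verbose "No new distribution groups found"
}
```

Only entries with Succeeded set to true are considered, so a failed New-DistributionGroup attempt (for example one rejected by a naming policy) does not appear as a created group; if you want those attempts in the report as well, drop the Where-Object filter and add the Succeeded property to the object.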